In a lot of contexts I wouldn't mind an explicit whitelist. If somebody wants my email, they can let me know ahead of time how they'll be using it, and I can grant them permission to send me emails from a given source. Combined with DKIM et al it would eliminate many classes of phishing attacks and also deal with the email harvesting and spam problem.
I can definitely see this working for tech-savvy users on additional accounts. The problem with email is that it's still used/needed as the "universal" online way to establish/initiate correspondence with someone.
It's become used for person-to-person communications, as well as computer-to-person communications, and is probably one of the few standard, interoperable, near-ubiquitous means of reaching people, short of postal mail and carrier-provided services like SMS and voice calling.
While requiring people to know who they want to correspond with before the fact could be helpful, it also breaks a lot of popular use-cases for email - email is often written into contracts as a valid means of serving notice etc pursuant to the contract. Locking email down to only receive mail from approved senders would break a lot of things, but certainly help to prevent this kind of spam.
I wonder to what extent this could be reduced however by using unique per-use aliases - in a sense you can get a softer version of this whitelist by giving out per-sender inbox aliases, and therefore seeing which alias was used to send a message. Not quite sender authentication, but perhaps better than nothing. Doesn't prevent compromise of the underlying (human-to-human) email address, but would certainly help with a lot of phishing-type scenarios using breached customer records.
Yep, it wouldn't suffice for every use case. It would however have completely satisfied every use I've had for email so far (supposing the other parties would have been willing to furnish their addresses). Combined with your unique alias idea, you could have one or more whitelist-only aliases guaranteed to not have some kinds of spam and phishing alongside other aliases for other purposes.
Could you implement this whitelist on your side by simply having two inboxes? E-mails from addresses in your whitelist go to "Messages from known people", other e-mails go to "Messages from unknown people".
This wouldn't require any special action from other people. You would automatically be a bit more suspicious when looking into the "unknown people" inbox, and if you verify the author, you add their name into whitelist and automatically move all their e-mailt to the "known people" inbox.
You could also set it up this way for your less tech-savvy relatives, and ask them to call you immediately if they find something in the "unknown people" inbox.
